Computer manufacturer Lenovo has agreed to pay $7.3 million to settle a class-action complaint accusing the company of shipping notebooks with adware that contained security flaws.
The settlement agreement, submitted Wednesday to U.S. District Court Judge Haywood Gilliam in Oakland, California, calls for consumers who purchased the notebooks to receive at least $40, and as much as $750, depending on whether they incurred costs as a result of the adware.
If accepted by Gilliam, the deal will resolve a lawsuit stemming from Lenovo's 2014 decision to install the ad-serving software Visual Discovery -- developed by Superfish -- on new notebooks. Soon after the computers shipped, it emerged that the adware had security flaws.
Visual Discovery inserted ads into a host of web pages, including secure HTTPS pages. To accomplish this, the software tinkered with Windows' cryptographic security, according to reports. The result was that the software allegedly left consumers' encrypted data -- including passwords and bank account numbers -- at risk.
News of Lenovo's deal with Superfish drew widespread criticism from watchdogs like the Electronic Frontier Foundation, which called Lenovo's decision to embed Superfish “catastrophically irresponsible.”
After reports surfaced about Superfish's problems, Lenovo said it stopped preloading the software and shut down server connections that enabled Superfish. The company also posted instructions telling people how to remove the program, and said it was working with McAfee and Microsoft to fix the security vulnerability created by the software.
Lenovo lost a major battle in the class action in 2016, when a different federal judge -- Ronald Whyte in San Jose -- refused to dismiss allegations that the company violated the Computer Fraud and Abuse Act, a federal anti-hacking law. Lenovo had argued that the hacking allegations should be dismissed on the grounds that it never accessed people's computers without authorization, or obtained users' personal information.
Whyte rejected that argument, noting that the hacking claims against Lenovo were based on allegations that the company "conspired to enable Superfish to access the laptops after they were sold to consumers."
Last year, Lenovo settled a complaint about the adware by the Federal Trade Commission and 31 attorneys general. The company agreed to pay $3.5 million to the state attorneys general, and to obtain consumers' explicit consent before pre-installing certain types of ad-serving software. Lenovo also agreed to allow security audits for 20 years.
Gilliam will hold a hearing on the proposed class-action settlement in September.